Researchers at the cybersecurity firm Volexity on Friday revealed that a Chinese hacking group, “StormBamboo”, has successfully compromised an internet service provider (ISP) to abuse automatic software updates to deliver malware.
This Chinese cyber-espionage threat group, also tracked as Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and several Southeast and East Asian countries (via BleepingComputer).
During one incident investigated by Volexity, the threat researchers discovered that StormBamboo targeted software that used insecure update mechanisms, such as HTTP, and did not properly validate the digital signatures of installers to deploy malware payloads on victims’ machines running macOS and Windows.
“When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot),” Volexity explained in a report published on Friday.
To do that, the attackers interrupted and modified victims’ DNS requests and redirected them to malicious IP addresses.
This technique delivered malware to the victim’s systems from StormBamboo’s command-and-control (C2) servers, thus requiring no user interaction.
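The two weaknesses the report names, a plaintext update channel and an unverified installer, are exactly what a client-side check can close even when the resolver is lying. The following is an added example written for this article, not code from Volexity or from any affected vendor; the manifest layout, the `.invalid` hostnames and the installer bytes are constructed, and it assumes the vendor ships an Ed25519 public key pinned inside the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// UpdateManifest is a constructed, hypothetical manifest shape: the vendor publishes
// the installer URL, its SHA-256, and an Ed25519 signature over that hash.
type UpdateManifest struct {
	URL       string
	SHA256    [32]byte
	Signature []byte
}

// VerifyUpdate refuses an update unless it was fetched over TLS and the installer
// bytes hash to the value the vendor signed with the key pinned in the client.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, installer []byte) error {
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("refusing plaintext update channel: " + m.URL)
	}
	if sha256.Sum256(installer) != m.SHA256 {
		return errors.New("installer hash does not match manifest")
	}
	if !ed25519.Verify(pinned, m.SHA256[:], m.Signature) {
		return errors.New("manifest signature invalid for pinned vendor key")
	}
	return nil
}

// SignManifest models the vendor's release step (constructed for this example).
func SignManifest(priv ed25519.PrivateKey, url string, installer []byte) UpdateManifest {
	h := sha256.Sum256(installer)
	return UpdateManifest{URL: url, SHA256: h, Signature: ed25519.Sign(priv, h[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	genuine := []byte("constructed genuine installer bytes")
	m := SignManifest(priv, "https://updates.example.invalid/app.pkg", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))
	// A poisoned resolver can redirect the download, but cannot forge the vendor key.
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("constructed swapped file")))
	m.URL = "http://updates.example.invalid/app.pkg"
	fmt.Println("http:", VerifyUpdate(pub, m, genuine))
}
```

The hash check alone would not help if the manifest itself is fetched from the attacker; the pinned key is what ties the manifest to the vendor rather than to whoever the resolver points at.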
Volexity found StormBamboo targeting multiple software vendors that use automatic update mechanisms, with differing levels of complexity in the steps used to push malware.
“For instance, they took advantage of 5KPlayer requests to update the youtube-dl dependency to push a backdoored installer hosted on their C2 servers,” the BleepingComputer report stated.
“After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data.”
The threat researchers notified and worked with the ISP, which then investigated important traffic-routing devices on its network. The ISP rebooted and took specific network components offline, which immediately stopped the DNS poisoning.
“StormBamboo is a highly skilled and aggressive threat actor who compromises third parties (in this case, an ISP) to breach intended targets.
The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances,” the researchers concluded.